
How to prevent outgoing DDoS

Important: The explanations given below are known best-practices. They do not guarantee that your resources will not be locked if we detect that they are part of a DDoS attack.

DoS Overview

A Denial of Service (DoS) attack is an attack through which a person renders a system unusable, or significantly slows it down for legitimate users, by overloading its resources.

The goal of a DoS is not to gain unauthorized access to machines or data, but to prevent legitimate users of a service from using it.

You are responsible for your resources. If a resource you control takes part in a DDoS, you will be considered responsible for attacking the target of that DDoS.

Scaleway will lock any resources (instances, Kubernetes cluster, bare-metal server, …) that are identified as a contributor to a DDoS. This lock can be done without prior notice to protect our network and the target network; this is written in our Terms and Conditions (Scaleway, Online).

Preventing Memcached and NTP from being used in a DDoS attack

Memcached is a free and open-source, high-performance, distributed memory object caching system. It is used as an in-memory key-value store.

Avoid having a Memcached or NTP server open on the Internet. Try to restrict access to localhost only.

If you need to have a Memcached or NTP server open, be sure to specify which range of IP addresses can access it.

Preventing DNS from being used in a DDoS attack

The Domain Name System (DNS) is a commonly used protocol for performing DDoS attacks because it runs over UDP and has no security features enabled by default. DNS amplification attacks almost always take advantage of open resolvers. An open resolver is a DNS server that answers queries for any domain name without restriction: anybody on the Internet can query it and it will answer. This makes it particularly troublesome: because UDP does not validate the source address, queries sent with a spoofed source IP address are answered to that spoofed address, which turns the resolver into a reflection attack source.

In addition, a DNS reply is usually larger than its corresponding query, so the reflected traffic is also amplified.

Recommendations

To configure your DNS server securely, proceed as follows:

Do not run an open DNS resolver on the Internet. Restrict your DNS server to answer only requests coming from your IP range.

Do not enable recursion on your DNS server.

If you need recursion, limit the authorized range of IP addresses that can perform recursive requests.
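The three recommendations above, as an added BIND 9 `named.conf` example that is not part of the original page: the open-resolver configuration, followed by the two hardened alternatives (authoritative-only, or recursion restricted to your own IP range). The `203.0.113.0/24` range and the `trusted` ACL name are placeholders for your own addresses; a real `named.conf` contains exactly one `options` block, so pick one of the variants.

```conf
// Added example, not from the original page. Only one "options" block may
// exist in a real named.conf; the three below are alternatives shown side by side.

// --- Weak: an open resolver. Anyone on the Internet can send recursive queries,
// --- so spoofed queries turn this server into a DNS reflection/amplification source.
options {
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };
};

// --- Hardened, variant 1: authoritative-only server (no recursion at all).
options {
    recursion no;                 // refuse to resolve names you are not authoritative for
    allow-query { any; };         // your own zones must still be answered publicly
    allow-recursion { none; };
    allow-query-cache { none; };  // nothing is cached, so nothing can be served from a cache
    rate-limit {                  // response rate limiting caps what an abuser can reflect
        responses-per-second 10;
    };
};

// --- Hardened, variant 2: recursion is needed, so restrict it to your own IP range.
acl "trusted" {
    127.0.0.1;
    ::1;
    203.0.113.0/24;               // placeholder (RFC 5737 documentation range): use your own range
};

options {
    recursion yes;
    allow-query { trusted; };         // answer only clients from the trusted range
    allow-recursion { trusted; };     // only those clients may trigger recursive lookups
    allow-query-cache { trusted; };   // and only they may read cached answers
    rate-limit {
        responses-per-second 10;
    };
};
```

After editing, `named-checkconf` validates the syntax before you reload the server.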

Preventing HTTP(s) proxies from being used in a DDoS attack

HTTP(s) proxies are software that perform an HTTP(s) request on behalf of a client and forward the response to that client. In a DDoS attack this can be used for amplification (a small request can generate a large answer) and reflection (the client IP address can be spoofed, so the response is delivered to the victim).

Recommendations

To configure your HTTP(s) proxy securely, proceed as follows:

Do not run HTTP(s) proxies that are open on the Internet.

Limit as much as possible the range of IP addresses of the machines that can connect to your HTTP(s) proxy.